httpd-users mailing list archives

From "Ramon Casha" <ramon.ca...@megabyte.net>
Subject [users@httpd] Access control advice needed
Date Wed, 09 Apr 2014 07:06:49 GMT
I have a website running Drupal which is currently under a continuous
botnet attack, which is causing major performance issues. I'm trying to
use Apache's access control mechanism to block these requests.

Two characteristics of the attack requests are that they all use
HTTP/1.0, and a large percentage of them are within one domain.

When I look at my access log, most requests are coming in from:
134.230.153.27.broad.pt.fj.dynamic.163data.com.cn
129.199.159.27.broad.pt.fj.dynamic.163data.com.cn
...etc.

I tried blocking access using Apache's Deny From as follows:

<Directory /opt/drupal-7/>
   Options +FollowSymLinks 
   AllowOverride All
   Order Allow,Deny
   Allow from all
   Deny from .broad.pt.fj.dynamic.163data.com.cn
</Directory>

However this did not work - all requests are still being allowed in.
Note that the /opt/drupal-7 directory is a symlink to the actual
directory which has the full version number.

Also, since all the botnet requests are marked as HTTP/1.0, I tried to
restrict access to the user-registration pages using the protocol, as
follows:

SetEnvIf Request_Protocol "^HTTP/1\.0$" Bad_Req
<Location /utenti>
    Order Allow,Deny 
    Deny from env=BadReq 
</Location>

However this is blocking everything - HTTP/1.0 or 1.1. "/utenti" is the
prefix to the user registration page, password-reset page etc. I tried
changing around the Order, adding an "Allow from all" but in each case I
either end up blocking everyone or letting all requests through.

I'd appreciate any advice on how to implement the above or resolve this
issue in some other way.

--
Ramon Casha


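The two outcomes described for the /utenti block (everything blocked, or everything let through once "Allow from all" is added) can be reproduced with a small model of the documented Order/Allow/Deny evaluation rules. This is an added example, not part of the original message and not Apache's code; the function names and config dictionaries are assumptions for illustration, and only the `all` and `env=NAME` arguments are modelled.

```python
import re

def setenvif(protocol, regex, var):
    """Model of: SetEnvIf Request_Protocol <regex> <var>."""
    return {var: "1"} if re.search(regex, protocol) else {}

def allowed(order, allow, deny, env):
    """Simplified Order/Allow/Deny evaluation; True means the request is served."""
    def hit(rules):
        return any(r == "all" or (r.startswith("env=") and r[4:] in env)
                   for r in rules)
    a, d = hit(allow), hit(deny)
    if order == "Allow,Deny":
        # An Allow must match and no Deny may match; no match at all is a deny.
        return a and not d
    if order == "Deny,Allow":
        # Denied only when a Deny matches and no Allow does; no match is an allow.
        return a or not d
    raise ValueError("unknown Order: " + order)

# Constructed representations of the <Location /utenti> block.
# POSTED: as in the message. SetEnvIf sets Bad_Req, Deny tests BadReq, no Allow line.
POSTED = {"var": "Bad_Req", "order": "Allow,Deny",
          "allow": [], "deny": ["env=BadReq"]}
# WITH_ALLOW: same, plus "Allow from all" (one of the variations tried).
WITH_ALLOW = dict(POSTED, allow=["all"])
# MATCHED: "Allow from all" plus one variable name used in both directives.
MATCHED = dict(WITH_ALLOW, var="BadReq")

def decide(cfg, protocol):
    env = setenvif(protocol, r"^HTTP/1\.0$", cfg["var"])
    return allowed(cfg["order"], cfg["allow"], cfg["deny"], env)

def outcomes(cfg):
    return {p: decide(cfg, p) for p in ("HTTP/1.0", "HTTP/1.1")}

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("with Allow from all", WITH_ALLOW),
                      ("matching variable name", MATCHED)):
        print(name, outcomes(cfg))
```

Under this model, only the third variant separates HTTP/1.0 from HTTP/1.1 requests.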